Essays on information security risks and firm behaviors

Pataci, Hilal
Electronic thesis
This doctoral dissertation examines the role of information security risks in shaping strategic decision-making within organizations. With the recognition that each breach incident can cost millions of dollars, firms have become increasingly aware of the importance of mitigating these risks and their impacts. The consequences of information security threats have compelled organizations to allocate significant time and financial resources to recover from breaches and to proactively minimize their exposure to risk. While previous research has explored the impact of information security risk from different avenues, there remains a limited understanding of how these risks influence strategic decision-making. The dissertation addresses this gap by investigating the phenomenon through three distinct essays.
In the first essay, we explore whether and how firms' information security risk perceptions shape their boundary-changing and risk-transfer behaviors. Building on the behavioral theory of the firm and the attention-based view (Cyert and March 1963/1992; Gavetti et al., 2012), we shed light on how organizations' boundary-changing actions are shaped by their information security risk perceptions and how this association is moderated by attainment discrepancy. We developed a novel method to measure information security risk perception by fine-tuning ten domain-agnostic and one domain-specific state-of-the-art transformer-based NLP models with causal extraction. We found that information security risk perception is positively associated with relatively less risky boundary expansion behavior and risk hedging behavior but not with boundary preservation behavior. However, social attainment discrepancy (Iyer and Miller, 2008) positively moderates the association between information security risk perception and boundary preservation behavior and increases the propensity to divest.
In the second essay, we examine whether and how cyber-incident characteristics and firms' cyber-security governance capabilities impact stock market reactions. Drawing on the efficient market hypothesis, task complexity, and IT failure literature, we theorize and empirically examine how cyber-incident complexity impacts stock market reaction and how a company's information security governance shapes this association. We propose that complex cyber incidents, arising from cyber-attacks that employ multiple attack vectors, increase the damage potency and lead to negative market reactions, while an organization's effective governance in the notification and discovery of cyber incidents attenuates this association. We used an event study to compute the stock market reaction as the cumulative abnormal response (CAR) to publicly announced information security incidents on a sample of US firms obtained from the VCDB database.
In the third essay, we investigate the impact of data breaches on organizations' digital strategic initiatives and explore their adaptive responses to breaches. Combining insights from institutional theory, adaptive learning theory, and generative learning theory, this essay aims to bridge the existing gap in understanding organizational adaptations to data breaches. It emphasizes the interconnectedness and interdependence of organizations within the cybersecurity landscape and underscores the influential role of internal and external institutional pressures in the learning process. The study proposes that the strength of institutional pressure, as indicated by proximity to breached entities, influences how firms reconfigure their digital strategic initiatives in alignment with industry standards. Additionally, internal pressures stemming from firsthand breach experiences shape the adaptation and reconfiguration of these initiatives. To operationalize digital strategic initiatives and their reconfiguration, a state-of-the-art language model is applied to earnings call disclosures from S&P 500 companies.
School of Management
Rensselaer Polytechnic Institute, Troy, NY